Red, Blue and Purple Teams – Let the Battle Commence
Attackers, Defenders and a Referee
A red team exercise is an “all-out” effort to penetrate an organisation’s security defences. The objective is to gain access to systems via physical breaches, computer networks, phone systems, RF (radio frequency) systems and employee manipulation.
The concept derives from simulation exercises run in the military and mirrors a real-world attack scenario. It’s designed to expose shortfalls, vulnerabilities and loopholes.
This exercise cuts through any vagueness or unfounded assumptions surrounding an organisation’s ability or readiness to deal with such an attack were it to happen for real.
In this article, we’ll explore what happens when the gloves come off and battle commences in earnest.
Each team in the simulation has a role to play:
- The red team are the attackers and represent malicious hackers or other threat actors.
- The blue team are the defenders of the organisation under attack.
- As with any fight, it’s a good idea to have a “referee” – that role falls to the purple team who oversee the process and ensure maximum benefit is derived from the exercise.
Thanks to Security Operations Centre Analyst Amy Hargreaves and Security Consultant James Chamberlain for taking us on this tour of the roles and objectives of red, blue and purple teams.
ON THE ATTACK – THE RED TEAM
The red team is made up of skilled ethical hackers whose job is to safely exploit vulnerabilities in the target’s physical as well as cybersecurity perimeters. Team members are hired externally and are unconnected to the target organisation.
The red team’s objective is to mount a highly realistic attack against the target organisation.
They’ll use the latest hacking techniques and tools to infiltrate the target’s defences. Attackers might write their own malware and devise unique attack vectors, just as malicious hackers would do in a genuine assault.
In contrast to a traditional penetration test using “loud” techniques that can be readily detected, a red team’s objective is to be stealthy and do everything they can to avoid being discovered.
Many organisations are confident their systems and security measures are hard to penetrate, but the red team will look for the weakest link to crack their perimeter defences wide open.
The red team is free to use whatever techniques it sees fit to safely accomplish its mission. They might turn up at the target’s offices disguised as anything from a delivery driver to a maintenance engineer who wants to quickly service the photocopier.
Once access is gained to the premises, it’s a simple matter of discreetly inserting a USB drive in a PC and their job is done.
THE RED TEAM’S OBJECTIVES AND METHODOLOGIES
The red team will likely use open source intelligence (OSINT) for their initial reconnaissance and to collect information on their target.
They will attempt to compromise the target’s security by breaching its physical barriers, extracting information and infiltrating systems, while avoiding detection by the blue team.
The red team might deploy command and control servers (C&C or C2) to establish communication with, and take over, the target’s computer network.
Attacks can occur quickly and unexpectedly, which makes it very difficult for the blue team to neutralise the threat before the red team achieves its objective.
They will readily exploit weaknesses and bugs in their target’s systems to show up gaps in their technical infrastructure. These gaps can ultimately be plugged to improve the organisation’s overall security posture.
Hostile activity will include sophisticated physical and digital penetration testing, designed to give a solid assessment of the blue team’s defences. The red team is cunning and will also introduce decoys designed to throw the blue team off the scent.
IN DEFENCE – THE BLUE TEAM
The blue team is made up of the company’s in-house security personnel, often from within its Security Operations Centre (SOC). The SOC comprises highly trained analysts, working 24/7, whose job is to improve their organisation’s defences.
The blue team’s objective is to detect, counter and weaken the red team.
The attack exercise is designed to improve the blue team’s skills by practising a simulation of a real-world attack.
Many threats, such as malware and phishing emails, will be intercepted by automated software such as endpoint security products and threat detection tools. The blue team proactively and reactively adds vital human intelligence to these technologies.
The blue team will identify and neutralise more sophisticated attacks. They will carefully monitor identified and emerging threats to defend their organisation preemptively.
THE BLUE TEAM’S OBJECTIVES AND METHODOLOGIES
The blue team must understand each phase of an incident including suspicious traffic patterns and other indicators of compromise. They must respond accordingly, rapidly closing down any threat.
They should identify the threat actor’s (red team’s) command and control servers and block their connectivity to the target.
The blue team will perform forensic testing and analysis of their organisation’s various operating systems, including any third-party systems.
They’ll perform traffic and data flow analysis by reviewing log data. Using a security information and event management (SIEM) platform, they’ll detect live intrusions and triage alarms in real time.
The blue team will gather information on new threats and prioritise the right action relative to the severity of the risk posed.
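The three blue-team tasks just described (spotting command-and-control connectivity, reviewing log data for suspicious traffic patterns, and prioritising the response by severity) can be illustrated with a small detection script. The following is an added example written for this article, not code from the article’s authors or from any SOC tooling. It assumes a simple, constructed proxy-log format (timestamp, source host, destination, bytes) and flags hosts that contact the same destination at near-regular intervals, a common beaconing pattern, then ranks the findings and derives a blocklist. The thresholds, field names and sample log lines are all assumptions made for the example.

```python
"""
Added example (not from the original article): a stand-alone beaconing
detector of the kind a blue team might run over outbound proxy logs before
deciding which destinations to block. Hosts that contact one destination at
near-regular intervals are one common indicator of command-and-control traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: timestamp, source host, destination, bytes.
# ws-042 talks to 203.0.113.7 roughly once a minute; the other traffic is irregular.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z ws-042 203.0.113.7:443 512
2024-03-01T09:00:02Z ws-042 files.example.net:443 48213
2024-03-01T09:01:00Z ws-042 203.0.113.7:443 510
2024-03-01T09:01:31Z ws-017 news.example.org:443 9021
2024-03-01T09:02:01Z ws-042 203.0.113.7:443 514
2024-03-01T09:03:00Z ws-042 203.0.113.7:443 509
2024-03-01T09:04:00Z ws-042 203.0.113.7:443 511
2024-03-01T09:04:12Z ws-017 news.example.org:443 12000
2024-03-01T09:05:01Z ws-042 203.0.113.7:443 513
2024-03-01T09:10:44Z ws-017 files.example.net:443 77300
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return events


def severity(hits, jitter):
    """Rough triage tier (assumed thresholds): more hits and tighter timing rank higher."""
    if hits >= 10 and jitter < 0.05:
        return "high"
    if hits >= 5 and jitter < 0.2:
        return "medium"
    return "low"


def beacon_candidates(events, min_hits=5, max_jitter=0.2):
    """
    Group events by (src, dst), measure the gaps between successive contacts and
    flag pairs whose gaps are regular: coefficient of variation (stddev / mean)
    at or below max_jitter. Returns findings sorted by hits, then regularity.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(stamps),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                "severity": severity(len(stamps), jitter),
            })
    findings.sort(key=lambda f: (-f["hits"], f["jitter"]))
    return findings


def blocklist(findings, min_severity="medium"):
    """Destinations to block at the proxy or firewall for findings at or above min_severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return sorted({f["dst"] for f in findings if rank[f["severity"]] >= rank[min_severity]})


if __name__ == "__main__":
    found = beacon_candidates(parse_log(SAMPLE_LOG))
    for finding in found:
        print(finding)
    print("block:", blocklist(found))
```

On the sample data only the ws-042 to 203.0.113.7:443 pair is flagged (six contacts about 60 seconds apart, medium severity), so that destination alone lands on the blocklist; the occasional file and news traffic from both hosts is left alone. In practice the candidate list would be raised as a SIEM alert for an analyst to confirm before any block is applied, since legitimate software updaters and health checks also poll on fixed intervals.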
ENSURING FAIR PLAY – THE PURPLE TEAM
The purple team is generally made up of security analysts and/or the organisation’s senior security personnel.
The purple team’s objective is to work alongside the red and blue teams, analysing the big picture and how the teams are working together. They will recommend adjustments they feel appropriate or note them for the future.
The purple team can become more of a concept than a function. In fact, if the red and blue teams work well together it may become redundant.
Overall, the purple team should assume the mindset of the other two teams and work with both as appropriate.
For example, the purple team might work with the blue team to see how events are being detected, then switch to the red team to review how they’re subverting the blue team’s efforts.
The purple team has a responsibility to oversee results and coordinate any necessary remedial action, such as patching vulnerabilities and employee awareness training.
Ultimately, the purple team will help their organisation derive maximum benefit from the exercise and apply lessons learned to ensure stronger defences as a result.
The major benefit of performing a red teaming exercise is the potential for an organisation to attain a valuable shift in perspective when it comes to their security procedures.
The red team works independently of the target company and will likely challenge their thinking in general, and their security presumptions in particular.
The outcome of a red teaming exercise is an unbiased overview of the organisation’s strengths and weaknesses – useful to help decision making and avoid nasty surprises going forward.